Second Edition Chapter 1 Ethical Hacking Overview Objectives After this lecture and completing the exercises, you will be able to: Describe the role of an ethical hacker Describe what you can do legally as an ethical hacker Describe what you cant do as an ethical hacker Hands-On Ethical Hacking and Network Defense, Second Edition 2 Introduction to Ethical Hacking Ethical hackers Hired by companies to perform penetration tests Penetration test Attempt to break into a companys network to find the weakest link Security test More than a break in attempt; includes analyzing companys security policy and procedures Vulnerabilities are reported Hands-On Ethical Hacking and Network Defense, Second Edition 3 The Role of Security and Penetration Testers Hackers Access computer system or network without authorization Breaks the law; can go to prison Crackers Break into systems to steal or destroy data U.S. Department of Justice calls both hackers Ethical hacker Performs most of the same activities with owners permission Hands-On Ethical Hacking and Network Defense, Second Edition 4 The Role of Security and Penetration Testers (contd.) Script kiddies or packet monkeys Younger, inexperienced hackers who copy codes from knowledgeable hackers Programming languages used by experienced penetration testers Practical Extraction and Report Language (Perl) C language (including Java, C#, C++ etc.) Script Set of instructions Runs in sequence to perform tasks Hands-On Ethical Hacking and Network Defense, Second Edition 5 The Role of Security and Penetration Testers (contd.) Tiger box Collection of tools Used for conducting vulnerability assessments and attacks E.g. Backtrack is a world-renowned Unix based OS with many testing tools for conducting network attacks Hands-On Ethical Hacking and Network Defense, Second Edition 6 Penetration-Testing Methodologies White box model Tester is told about network topology and technology Tester is permitted to interview IT personnel and company employees Makes testers job a little easier Black box model Staff does not know about the test Tester is not given details about technologies used Burden is on tester to find details Tests security personnels ability to detect an attack Hands-On Ethical Hacking and Network Defense, Second Edition 7 Hands-On Ethical Hacking and Network Defense, Second Edition 8 Figure 1-1 A sample floor plan Penetration-Testing Methodologies (contd.) Gray box model Hybrid of the white and black box models Company gives tester partial information (e.g., OSs are used, but no network diagrams) Hands-On Ethical Hacking and Network Defense, Second Edition 9 What You Can Do Legally Laws involving technology change as rapidly as technology itself Keep abreast of whats happening in your area Find out what is legal for you locally Be aware of what is allowed and what you should not or cannot do Laws vary from state to state and country to country Hands-On Ethical Hacking and Network Defense, Second Edition 10 Laws of the Land Some hacking tools on your computer might be illegal Contact local law enforcement agencies before installing hacking tools Laws are written to protect society Written words are open to interpretation Government is getting more serious about cybercrime punishment Hands-On Ethical Hacking and Network Defense, Second Edition 11 Is Port Scanning Legal? Some governments do not see it as a violation Not always the case Be prudent before using penetration-testing tools Read your ISPs Acceptable Use Policy Internet Relay Chat (IRC) bot Program that sends automatic responses to users Gives the appearance of a person being present Hands-On Ethical Hacking and Network Defense, Second Edition 12 Federal Laws Federal computer crime laws are getting more specific Cybercrimes Intellectual property issues US Department of Justice - Computer hacking and intellectual property (CHIP) New government branch to address computer hacking and intellectual property crimes UK Computer Misuse Act (1990) UK PCeU - Police Central e-crime Unit Hands-On Ethical Hacking and Network Defense, Second Edition 13 What You Cannot Do Legally Illegal actions: Accessing a computer without permission Destroying data without permission Copying information without permission Installing worms or viruses Denying users access to network resources Be careful your actions do not prevent clients employees from doing their jobs Hands-On Ethical Hacking and Network Defense, Second Edition 14 Get It in Writing Using a contract is good business May be useful in court Books on working as an independent contractor The Computer Consultants Guide by Janet Ruhl Getting Started in Computer Consulting by Peter Meyer Internet can also be a helpful resource Free modifiable templates Have an attorney (solicitor) read your contract before signing Hands-On Ethical Hacking and Network Defense, Second Edition 15 Ethical Hacking in a Nutshell Skills needed to be a security tester Knowledge of network and computer technology Ability to communicate with management and IT personnel An understanding of the laws in your location Ability to use necessary tools Hands-On Ethical Hacking and Network Defense, Second Edition 16 Summary Companies hire ethical hackers to perform penetration tests Penetration tests discover vulnerabilities in a network Security tests are performed by a team of people with varied skills Penetration test models White box model Black box model Gray box model Hands-On Ethical Hacking and Network Defense, Second Edition 17 Summary (contd.) Be aware What you are legally allowed or not allowed to do ISPs may have an acceptable use policy May limit ability to use tools Hands-On Ethical Hacking and Network Defense, Second Edition 18 Summary (contd.) Laws should be understood before conducting a security test Get it in writing Use a contract Have an attorney read the contract Understand tools available to conduct security tests Learning how to use them should be a focused and methodical process Hands-On Ethical Hacking and Network Defense, Second Edition 19